On Thu, 14 Mar 2002, Jason Badry wrote:

> I currently have logging turned on, as it is nice to have logging going
> when someone calls with an issue and you can check the history.
>
> One thing I noticed, is the POP3 logging includes whatever password the
> client sent in (apop or plain text or whatever). Since I can't force the
> clients to use POP3, is there a way to not log the password? This seems
> like a serious security issue to have a file on your hard drive with
> plain-text passwords.
>
> On this topic, I joined the Xmail-WAI mail-list, but haven't gotten any
> receipts or replies on that mail list yet. I'm sure some of you are using
> this... Xmail and Xmail-WAI are now working fairly well for me, but I'm
> very concerned about having my Xmail and Xmail-WAI admin passwords in
> plain-text in the config.xml file. Xmail-WAI also displays the user's
> password in plain-text when they are logged in. This seems very insecure
> to me.
>
> Also, in Win2K, what directory permissions do you use for the xmwconfig and
> xmadmin directories? I had Administrator/System full, but I had to enable
> Full for Everyone to get MailProc and other functions working in
> Xmail-Wai. Any tips would be appreciated.
>
> For now, I'm only going to use Xmail-WAI for on-machine administration and
> I've blocked all http traffic to the box. Anyone else have thoughts on
> these security issues?

XMail needs plain password because of CRAM-MD5 authentication and if you
set up correctly the permissions to the MAIL_ROOT directory nobody can see
such files. Just give full access to SYSTEM and Administrators and no
access to everyone else.

- Davide
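
Added example, not part of the original message and not XMail's code: a Python sketch of the CRAM-MD5 exchange, using the sample values from RFC 2195, showing why a server has to keep the password itself to check a response. The function names and the salted-hash store are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the worked CRAM-MD5 example from RFC 2195.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USER = "tim"
PASSWORD = b"tanstaaftanstaaf"


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """Client side: user name, a space, then hex HMAC-MD5 keyed with the password."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the HMAC from whatever is stored and compare."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest.lower())


def demo() -> dict:
    response = cram_md5_response(USER, PASSWORD, CHALLENGE)
    # Hypothetical alternative store: only a salted one-way hash of the password.
    # The server cannot key the HMAC with it, so verification fails.
    salted_hash = hashlib.sha256(b"constructed-salt" + PASSWORD).digest()
    return {
        "response": response,
        "plaintext_store_ok": server_verify(PASSWORD, CHALLENGE, response),
        "hashed_store_ok": server_verify(salted_hash, CHALLENGE, response),
        # The same response is useless against a different challenge.
        "old_response_new_challenge": server_verify(
            PASSWORD, b"<1.2@example.invalid>", response
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the stored value is directly usable as the login secret, the file permissions on MAIL_ROOT are the control protecting it.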
